(VU#252743, CVE-2014-6271, CVE-2014-7169)
Last Updated: October 7, 2014
1. Overview
GNU Bourne-Again Shell (Bash) contains a vulnerability that could allow an attacker to remotely execute shell commands by placing malicious code in environment variables that the operating system passes to Bash. This vulnerability is commonly referred to as "Shellshock".
September 24, 2014
A GNU Bash vulnerability (CVE-2014-6271) in environment variable parsing was disclosed to the public. Security updates for this vulnerability (CVE-2014-6271) have been released for most major Linux distributions.
September 25, 2014
The GNU Bash Incomplete Fix Remote Code Execution Vulnerability (CVE-2014-7169) was disclosed to the public.
September 26, 2014
Security updates for the GNU Bash vulnerability (CVE-2014-7169) have been released for most major Linux distributions. Red Hat also reported the "Out of Bounds Memory Access Denial of Service Vulnerability (CVE-2014-7186)" and the "Off-By-One Error Denial of Service Vulnerability (CVE-2014-7187)".
September 27, 2014
The GNU Bash Incomplete Fix Remote Code Execution Vulnerabilities (CVE-2014-6277 and CVE-2014-6278) were disclosed to the public.
CVSS Severity
CVE-2014-6271: GNU Bash Remote Code Execution Vulnerability
CVE-2014-7169: GNU Bash Incomplete Fix Remote Code Execution Vulnerability
CVE-2014-7186: Out of Bounds Memory Access Denial of Service Vulnerability
CVE-2014-7187: Off-By-One Error Denial of Service Vulnerability
CVE-2014-6277: GNU Bash Incomplete Fix Remote Code Execution Vulnerability
CVE-2014-6278: GNU Bash Incomplete Fix Remote Code Execution Vulnerability
Base Metrics: 10.0
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Temporal Metrics 8.7 (September 27, 2014)
Exploitability: High
Remediation Level: Official fix
Report Confidence: Confirmed
2. Affected Systems
+ GNU Bash through 4.3
+ Linux, BSD, and UNIX distributions that use GNU Bash
+ Hitachi Products that use GNU Bash
3. Impact
By attacking a service that uses a vulnerable version of GNU Bash, a remote, unauthenticated attacker may be able to execute shell commands by placing malicious code in environment variables that the operating system passes to Bash.
Web application
CGI scripts are likely to be affected by this issue: when the web server runs a CGI script, it passes request data to the script through environment variables.
Secure Shell (SSH)
A user who is limited to a restricted command can use this issue to bypass that restriction and execute arbitrary commands.
DHCP client
The DHCP client sets various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could therefore allow an attacker to remotely execute arbitrary commands.
Mail server
qmail passes the values of MAIL FROM: and RCPT TO: to its programs through environment variables. Specially crafted values in these variables can be used to execute arbitrary commands.
Figure 1. (Example) Arbitrary shell command execution via specially crafted environment variables.
4. Solution
Apply an update
This issue is addressed in GNU Bash. The following are the security updates from Linux distributions. Also refer to the Hitachi advisories listed in "5. Product Information".
CentOS
CVE-2014-6271
[CentOS] Critical update for bash released today.
http://lists.centos.org/pipermail/centos/2014-September/146099.html
CVE-2014-7169
[CentOS-announce] CESA-2014:1306 Important CentOS 5 bash Security Update
http://lists.centos.org/pipermail/centos-announce/2014-September/020591.html
[CentOS-announce] CESA-2014:1306 Important CentOS 6 bash Security Update
http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html
[CentOS-announce] CESA-2014:1306 Important CentOS 7 bash Security Update
http://lists.centos.org/pipermail/centos-announce/2014-September/020592.html
Debian
CVE-2014-6271
DSA-3032-1 bash -- security update
https://www.debian.org/security/2014/dsa-3032
CVE-2014-7169
DSA-3035-1 bash -- security update
https://www.debian.org/security/2014/dsa-3035
Red Hat
CVE-2014-6271
RHSA-2014-1293 Critical: bash security update
https://rhn.redhat.com/errata/RHSA-2014-1293.html
RHSA-2014-1294 Critical: bash security update
https://rhn.redhat.com/errata/RHSA-2014-1294.html
RHSA-2014-1295 Critical: bash Shift_JIS security update
https://rhn.redhat.com/errata/RHSA-2014-1295.html
CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
RHSA-2014-1306 Important: bash security update
https://rhn.redhat.com/errata/RHSA-2014-1306.html
RHSA-2014-1311 Important: bash security update
https://rhn.redhat.com/errata/RHSA-2014-1311.html
RHSA-2014-1312 Critical: bash Shift_JIS security update
https://rhn.redhat.com/errata/RHSA-2014-1312.html
CVE-2014-6277,CVE-2014-6278
Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) in Red Hat Enterprise Linux
https://access.redhat.com/solutions/1207723
Ubuntu
CVE-2014-6271,CVE-2014-7169
USN-2363-1: Bash vulnerability
http://www.ubuntu.com/usn/usn-2363-1/
USN-2363-2: Bash vulnerability
http://www.ubuntu.com/usn/usn-2363-2/
CVE-2014-7186,CVE-2014-7187
USN-2364-1: Bash vulnerabilities
http://www.ubuntu.com/usn/usn-2364-1/
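After installing one of the updates above, a host can be checked locally to confirm that the two environment-variable parsing issues (CVE-2014-6271 and CVE-2014-7169) are actually closed. The script below is an added example, not part of this advisory or of any distribution's package; it uses the widely published diagnostic strings, runs them only against the local bash in a private temporary directory, and assumes bash and mktemp are on the PATH.

```shell
#!/bin/sh
# Local self-check for the two Bash parsing issues tracked in this advisory.
# Each check prints "vulnerable" or "not vulnerable" and returns 0 only when
# the installed bash is patched. Nothing leaves the host: the diagnostic
# strings only echo a marker or create a file in a temporary directory.

# CVE-2014-6271: bash must no longer execute the command that follows an
# exported function definition when it starts up.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>&1) || true
    case "$out" in
        *vulnerable*) echo "vulnerable";     return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser state bug that turns
# the trailing "echo date" into a redirection, writing the output of "date"
# into a file named "echo" in the current directory. A patched bash simply
# prints the word "date" and creates no file.
check_cve_2014_7169() {
    dir=$(mktemp -d) || { echo "unknown"; return 2; }
    ( cd "$dir" && env x='() { (a)=>\' bash -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo "vulnerable"; return 1
    fi
    rm -rf "$dir"; echo "not vulnerable"; return 0
}

# Run both checks; non-zero status if either one reports "vulnerable".
check_shellshock() {
    rc=0
    check_cve_2014_6271 || rc=1
    check_cve_2014_7169 || rc=1
    return "$rc"
}

check_shellshock
```

A "vulnerable" result after updating usually means a second bash binary (for example a statically linked copy inside an appliance or container) is still on the PATH, so check `command -v bash` and the package version together.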
5. Product Information
October 6, 2014
+ AlaxalA Networks AX series <Products Confirmed Not Vulnerable>
[AX8600R/6700S/6600S/6300S, AX4600S/3800S/3600S/2400S]
[AX7800R/7700R/7800S/5400S]
[AX2500S/2200S/1200S]
[AX620R]
October 3, 2014
+ Hitachi Advanced Server HA8000 series <*>
+ Hitachi Advanced Server HA8500 series <*>
+ Client Blade FLORA bd100/bd500 series <*>
+ Thin Client FLORA Se210/Se330 series <*>
+ Hitachi bd Link <*>
+ Entry class disk array model BR1200 <*>
+ Tape Library L1/8A, Lx/24, Lx/30A, Lx/48, L20/300, L18/500, L56/3000, L64/8500 <*>
+ Hitachi UPS/Management software/Hitachi UPS option, PowerMonitor H, PowerMonitor H for Network,
SNMP interface card, Disk interface card, SNMP+Disk interface card <*>
+ Display/Keyboard unit/Switch Console Unit <*>
+ Hitachi Server Navigator Update Manager, Log Collect, Log Monitor, Alive Monitor, RAID Navigator <*>
+ Hitachi Server Navigator Installation Assistant <*>
<*>: <Products Confirmed Not Vulnerable>
October 1, 2014
+ Hitachi Metals Switch Apresia series <Products Confirmed Not Vulnerable>
+ Hitachi Metals XLGMC/XGMC/GMC/GMX/eWAVE/BMC/GMA series <Products Confirmed Not Vulnerable>
September 30, 2014
+ Hitachi Open Middleware Products <Products Confirmed Not Vulnerable>
+ Hitachi Storage Products
+ VFP(Hitachi Virtual File Platform)
+ Virtage(BladeSymphonyBS2000/BS500/BS320/BS1000 series)
6. References
VU#252743: GNU Bash shell executes commands in exported functions in environment variables (2014-09-25)
http://www.kb.cert.org/vuls/id/252743
CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
CVE-2014-7187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
TA14-268A: GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278) (2014-09-25)
https://www.us-cert.gov/ncas/alerts/TA14-268A
ICSA-14-269-01: Bash Command Injection Vulnerability (2014-09-26)
https://ics-cert.us-cert.gov/advisories/ICSA-14-269-01
7. Update history
October 7, 2014
Masato Terada (HIRT) and Naoko Ohnishi (HIRT)